After the organization has defined its overall security strategy, created and implemented security policies and procedures, defined security roles and responsibilities, and secured management support for a security awareness or security culture program, it is time to begin the program implementation. At this point we will have an idea of the organization's intended security culture, and we will use the security culture program to help create and maintain that intended culture.
There are several valid implementation processes or frameworks that we can use. The Security Awareness Cycle is based on my own award-winning graduate project work and offers a complete, continuous cycle for implementing and maintaining a Security Awareness program, including means for continuous improvement and for measuring the success of the program. The concept behind the Security Awareness Cycle is a step-by-step process that takes you through the entire journey, from the first steps of creating and collecting baseline Security Awareness metrics to delivering the message to your target audience, and that, when repeated, provides the means for properly identifying areas in your program that need additional focus or improvement.
Step 1: Metrics
The first step in the Security Awareness Cycle is to collect metrics in order to establish a baseline for your Security Awareness Program, so that in later iterations you can measure the success of the program against that baseline and identify areas in need of improvement.
Step 2: Identifying and Understanding your Audience
The second step in the Security Awareness Cycle is to identify and gain an understanding of your audience. In this step you should identify the various audiences or groups within your organization. The purpose of this exercise is to outline each group so that you can properly identify their unique Security Awareness needs. Each group within an organization, and in some cases individuals within each group, will have unique Security Awareness needs. Executive leadership or senior management, who are ultimately responsible for accepting residual risk on behalf of the organization, will have different Security Awareness needs than, for example, the Accounting department or the Human Resources department. The Human Resources department, which may be handling health insurance and other Personally Identifiable Information (PII), will have different needs than, for example, the Information Technology department. Once you understand who your audience is and what their needs are, it is important to understand how they learn in order to deliver Security Awareness most effectively. We can draw on theories from Educational Psychology to help us with this. People have different cognitive skills, which means that each person's ability to learn and to digest new information and knowledge differs from one another's. People also have different styles of learning. Some people prefer a spatial teaching style, where images and other visual tools are used in the learning process. Other people may prefer an aural teaching style, where the information is delivered in spoken form, and some prefer a logical teaching style, where logic and reasoning are used in the learning process. Lastly, people have different mental models: we each have a different thought process and understanding of the relationships between our work, the tasks we do, the tools we use, risks, threats, and actions, and how these affect one another.
Having an understanding of this will help when developing Security Awareness support materials for the various groups to make sure it encompasses all the various learning styles.
Step 3: Identifying High-Risk and Desired Behaviors
The third step in the Security Awareness Cycle is to identify behaviors. Security Awareness is all about changing high-risk behaviors and reinforcing desired behaviors in order to reduce and mitigate security risks to the organization.
Step 4: Identifying Solutions to Facilitate Behavioral Change
The fourth step in the Security Awareness Cycle is to identify solutions to mitigate the risk or to facilitate a behavioral change. This is where you need to decide how you want to handle the risks identified in the previous steps. These solutions typically take shape either as a policy, procedure, or guideline; however, in some cases might be supplemented by a hardware implementation or software deployment.
Step 5: Creating Security Awareness Material
The fifth step in the Security Awareness Cycle is to create the Security Awareness material, which could take the form of email templates, newsletters, posters, screensavers, PowerPoint presentations, and others. The chief purpose of this material is to support the delivery of Security Awareness and training. This is also where the topic is chosen. What topics will the material support? Traditional examples include Viruses and Malware, Phishing Attacks, and Social Engineering attacks; but, equally important, topics are chosen based on the analyses conducted as part of the previous phases of the Security Awareness Cycle. Step 1 "Metrics" will determine areas that need attention and improvement. Step 2 "Identifying and Understanding your Audience" will determine training needs that are unique to the various groups within the organization. Step 3 "Identifying High-Risk and Desired Behaviors" will determine topics based on the employees' high-risk behaviors we want to reduce or mitigate, and it will identify desired behaviors we want to reinforce. The topics identified in these initial phases are often unique to each organization, depending on its size, industry, and structure.
Step 6: Delivering the Message
The sixth and final step in the Security Awareness Cycle is to deliver the message. In this phase the Security Awareness material is delivered to the audience, i.e., your employees. The delivery can take place via many different mediums, such as email, newsletters, computer-based training (CBT), presentations, group sessions, and so forth. It is important that mediums are chosen across the whole spectrum in order to accommodate the various learning styles, and it is important to choose mediums that are not already saturated.
Tom Mannerud is an Information Technology Manager, Security Researcher, and Educator living in beautiful Tampa, Florida. He has held a wide variety of IT management and security leadership roles for global organizations and has experience both leading and working with multi-national teams both on land and at sea. He holds a Master of Science in Information Security and Assurance and is a GIAC Certified ISO-27000 Specialist from SANS. Tom is also a member of the FBI InfraGard and the Information Systems Security Association.
The text and images of this page are available for modification and reuse under the terms of the Creative Commons Attribution-ShareAlike 3.0 Unported License and the GNU Free Documentation License.